New! OWASP ASIDE has an educational branch named ESIDE (Educational Security in the IDE); details are described in the ESIDE section below.

Introduction

ASIDE stands for Application Security plugin for Integrated Development Environment. It is an Eclipse plugin designed primarily to help developers write more secure code by detecting and identifying potentially vulnerable code and offering informative fixes while programs are being constructed in the IDE.

Description

ASIDE CodeRefactoring for Education is an Eclipse plugin that aims to detect the root cause of vulnerabilities in which untrusted input enters the application and is consumed without validation, and to provide interactive code refactoring support so that students and professional developers can learn secure programming practices and write more secure code.

ASIDE CodeAnnotate is another Eclipse plugin that deals with a different class of vulnerabilities, those that are specific to the application's logic. In particular, it aims to address CSRF and broken access control issues while developers are writing their code.

If you are interested, an older ASIDE DEMO shows an earlier design and implementation of CodeRefactoring. You will need Adobe Flash to display it.

Licensing

OWASP ASIDE is free to use. It is licensed under the Creative Commons Attribution-ShareAlike 3.0 license (http://creativecommons.org/licenses/by-sa/3.0/), so you can copy, distribute and transmit the work, adapt it, and use it commercially, provided that you attribute the work and that, if you alter, transform, or build upon it, you distribute the resulting work only under the same or a similar license.

What is ASIDE?

OWASP ASIDE provides:

Interactive Static Analysis support for developers in the Eclipse IDE (for Java and PHP) to detect and mitigate software vulnerabilities in their code

Interactive Secure Programming Education opportunities in the IDE for students as well as professional developers, to help them write more secure code and learn secure programming best practices

Quick Download

Runnable plugins and installation guidelines

The most recent publicly available ASIDE CodeRefactoring plugin can be downloaded from here. You also need to download the complementary logging facility to make ASIDE work properly. ASIDE CodeRefactoring is built upon Eclipse IDE for Java EE Developers version 3.5+. To make it work, place the two jar files in the plugins folder of your Eclipse installation directory and then restart Eclipse.

The most recent publicly available ASIDE CodeAnnotate plugin can be downloaded from here. ASIDE CodeAnnotate is built upon Eclipse IDE for Java EE Developers version 3.5+. To make it work, place the jar files in the plugins folder of your Eclipse installation directory and then restart Eclipse. A demo of how to run CodeAnnotate can be viewed here.

New! We recently released a version of the ASIDE CodeAnnotate plugin for the Eclipse PHP Development Environment. It is built upon the Eclipse PDT framework; you can download the plugin here. As it is still in the incubator phase, we recommend that you first install the configured Eclipse PHP package we provide for Linux, which can be downloaded here, then place the jar file in the plugins folder of the Eclipse installation directory and restart Eclipse. A demo of how to run CodeAnnotate can be viewed here. A good PHP open source project to try the plugin against is Moodle.

In Print

N/A

Classifications

The ASIDE project is continuously under active research, development, and evaluation. Involvement in the development and promotion of ASIDE is actively encouraged! You do not have to be a security expert in order to contribute. Some of the ways you can help:

Try ASIDE and email your feedback and comments to the project leaders.

Do a pilot study with ASIDE in your team; the project leaders would love to collaborate!

ESIDE

Introduction

ESIDE (Educational Security in the IDE) enhances the secure coding instructional process by turning the student's IDE into a real-time secure programming instructional resource. This approach capitalizes on out-of-class, in-the-IDE time by providing layered educational opportunities whenever the student writes specific code patterns (i.e., vulnerable code), in a fashion similar to Microsoft's grammar checker. In this manner, ESIDE gives students the opportunity to learn secure coding principles and practices concurrently with the lessons they are learning in their respective courses.

Description

Deployed as an Eclipse IDE Java plugin, ESIDE continuously searches for predetermined code patterns (e.g., request.getParameter();). Whenever a student writes targeted code, they are provided with an interactive system that offers a layered educational opportunity. Because students are contextually "in the moment" when the support becomes available, they are more receptive to making the connection between classroom principles and coding practices. A secondary effect is the exponential increase in instructional exposure, which has proven successful in other instructional areas. The overall goal of ESIDE is to serve as an effective means of educating students at every level on the principles and practices of secure coding throughout their educational experience. To this end, we have developed ESIDE's interactive process as follows: the moment target code is written, ESIDE initiates a layered educational intervention based on the targeted code. The first layer is a warning icon placed in the left margin of the code editor. Hovering over the icon reveals a short message that encourages further interaction. When the student clicks the icon, ESIDE generates a content-specific list of educational options. Each of these options is accompanied by a short explanation of the issue at hand. For each generated list, there is also the option to access an explanation page that provides a more comprehensive explanation of what was discovered, why it is important, and how to integrate the provided principles into coding practices.
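The pattern-driven detection described above (and the "untrusted input consumed without validation" root cause that CodeRefactoring targets) can be illustrated with a small checker. This is an added example, not ESIDE's or ASIDE's own code: it scans constructed Java servlet lines for `request.getParameter()` assignments and flags any variable whose first later use is not inside an assumed validation call (`Integer.parseInt` or ESAPI's `getValidInput`), producing the short warning plus a longer explanation, mirroring ESIDE's layered intervention.

```python
import re

# Constructed sample of Java servlet code (not from the ASIDE/ESIDE project).
# "age" and "note" are validated before use; "user" reaches output unvalidated.
SAMPLE_JAVA = """\
String user = request.getParameter("user");
String age = request.getParameter("age");
String note = request.getParameter("note");
int ageNum = Integer.parseInt(age);
String safeNote = ESAPI.validator().getValidInput("note", note, "SafeString", 200, false);
out.println("Hello " + user);
out.println("Age: " + ageNum);
out.println(safeNote);
"""

# Assumed rule set: the real plugin's patterns are not published on this page.
UNTRUSTED_SOURCE = re.compile(r'(\w+)\s*=\s*request\.getParameter\(\s*"[^"]*"\s*\)')
VALIDATORS = [re.compile(r'Integer\.parseInt\('), re.compile(r'getValidInput\(')]
SHORT_MESSAGE = 'Untrusted input "{var}" is used without validation'
EXPLANATION = ('request.getParameter() returns client-controlled data; validate it '
               '(type, length, allowed characters) before it reaches application logic.')

def find_untrusted_inputs(src):
    """Map each variable assigned from request.getParameter() to its line number."""
    found = {}
    for n, line in enumerate(src.splitlines(), start=1):
        m = UNTRUSTED_SOURCE.search(line)
        if m:
            found[m.group(1)] = n
    return found

def check(src):
    """Return (line_no, variable, short_message) for each untrusted variable whose
    first use after assignment is not inside a recognised validation call."""
    lines = src.splitlines()
    warnings = []
    for var, decl in find_untrusted_inputs(src).items():
        use_pat = re.compile(r'\b' + re.escape(var) + r'\b')
        later = [(n, l) for n, l in enumerate(lines, start=1) if n > decl and use_pat.search(l)]
        if not later:
            continue  # read but never consumed: nothing to flag
        n, first_use = later[0]
        if not any(v.search(first_use) for v in VALIDATORS):
            warnings.append((n, var, SHORT_MESSAGE.format(var=var)))
    return warnings

if __name__ == "__main__":
    for n, var, msg in check(SAMPLE_JAVA):
        print(f"line {n}: {msg}\n  {EXPLANATION}")  # margin icon text + explanation page
```

The checker only looks at the first use of each variable, which is the coarse, line-local approximation a margin-warning tool can make; a real analysis would follow the value through every use.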

4. Fall, 2013 – Interactive walk through study with 4 JCSU early students

5. Fall, 2013 – Seven day assignment study with 57 Elon University students

Priorities and get involved

As of October 13, 2014 the priorities are:

Developing more controls for faculty members to modify educational content

Develop a means to control when students are first exposed to warnings. Ideas include:

1. The tool monitors code and only provides warnings after the student has successfully
written a particular code pattern x amount of times.
2. Faculty are provided with a means to unlock warnings based on student readiness.
3. Students are asked if they are ready for a particular interaction.

Involvement in the development and promotion of ESIDE is actively encouraged! You do not have to be a security expert in order to contribute. Individuals interested in content contribution, usability evaluation, or deploying ESIDE in their classroom would be wonderful!

Take a Look

ASIDE is still under development, but to give you a sense of what it should do, we have this ASIDE DEMO. You will need Adobe Flash to display it.